Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: CORB check. #1312

Merged
merged 3 commits into from Mar 30, 2022
Merged

feat: CORB check. #1312

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e903faa
feat: CORB check.
hemanth Mar 29, 2022
1df3ec7
Update lib/fetch/util.js
ronag Mar 30, 2022
1504d32
Update test/fetch/util.js
ronag Mar 30, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
39 changes: 38 additions & 1 deletion lib/fetch/util.js
View file
Open in desktop
Expand Up @@ -318,7 +318,44 @@ function sameOrigin (A, B) {

// https://fetch.spec.whatwg.org/#corb-check
function CORBCheck (request, response) {
// TODO
// 1. If request’s initiator is "download", then return allowed.
if (request.initiator === 'download') {
return 'allowed'
}

// 2. If request’s current URL’s scheme is not an HTTP(S) scheme, then return allowed.
if (!/^https?$/.test(request.currentURL.scheme)) {
return 'allowed'
}

// 3. Let mimeType be the result of extracting a MIME type from response’s header list.
const mimeType = response.headersList.get('content-type')

console.log(response)
ronag marked this conversation as resolved.
Show resolved Hide resolved

// 4. If mimeType is failure, then return allowed.
if (mimeType === '') {
return 'allowed'
}

// 5. If response’s status is 206 and mimeType is a CORB-protected MIME type, then return blocked.

const isCORBProtectedMIME =
(/^text\/html\b/.test(mimeType) ||
/^application\/javascript\b/.test(mimeType) ||
/^application\/xml\b/.test(mimeType)) && !/^application\/xml\+svg\b/.test(mimeType)

if (response.status === 206 && isCORBProtectedMIME) {
return 'blocked'
}

// 6. If determine nosniff with response’s header list is true and mimeType is a CORB-protected MIME type or its essence is "text/plain", then return blocked.
// https://fetch.spec.whatwg.org/#determinenosniff
if (response.headersList.get('x-content-type-options') && isCORBProtectedMIME) {
return 'blocked'
}

// 7. Return allowed.
return 'allowed'
}

Expand Down
46 changes: 46 additions & 0 deletions test/fetch/util.js
View file
Open in desktop
Expand Up @@ -113,3 +113,49 @@ test('sameOrigin', (t) => {

t.end()
})

//
ronag marked this conversation as resolved.
Show resolved Hide resolved
test('CORBCheck', (t) => {
const allowedRequests = [{
initiator: 'download',
currentURL: { scheme: '' }
}, {
initiator: '',
currentURL: { scheme: 'https' }
}
]

const response = { headersList: { get () { return '' } } }

allowedRequests.forEach((request) => {
t.ok(util.CORBCheck(request, response))
})

t.ok(util.CORBCheck({
initiator: '',
currentURL: { scheme: '' }
}, response))

const protectedResponses = [{
status: 206,
headersList: { get () { return 'text/html' } }
}, {
status: 206,
headersList: { get () { return 'application/javascript' } }
}, {
status: 206,
headersList: { get () { return 'application/xml' } }
}, {
status: 218,
headersList: { get (type) { return type === 'content-type' ? 'text/html' : 'x-content-type-options' } }
}]

protectedResponses.forEach(response => {
t.equal(util.CORBCheck({
initiator: '',
currentURL: { scheme: 'https' }
}, response), 'blocked')
})

t.end()
})